The only problem I see here is needing data based on contract obligations. I have seen lots of sites packing the data collection into the privacy policy or some shady contract, thinking that this is legitimate interest. But legitimate interest is actually the hardest part of GDPR, even if most people think it is a workaround. If you can provide the service without some personal data (not due to financial claims) you can't pack that data under "better user experience" as legitimate interest. I presume that after the 25th, Google will stop tracing searches for EU users, for example. Legitimate interest has a long recital behind it and is a real problem to get right unless legislation requires the data. I would stick to consent for everything else. Just mentioning.
There are only two ways of legitimate interest that I considered for my service: "security" and "better user experience".
The data collected under the former is simply the IP and a timestamp in web server and app logs, usually purged within 7 days, and then any user data included in backups, purged after 3 months.
"Better user experience" is not really personal data, but I included it anyway: browser type (Mozilla/Edge/etc.), viewport resolution, page load time, OS. And it is not stored in a way that allows correlating them.
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.
"Analytics" is not what his company is for, ergo, using my Personal Data to do analytics isn't okay. He sure as hell isn't doing it for my benefit. I'm also not hiring him for security, so the same reasoning applies: he doesn't get to store my IP address in his logs without asking.
And when I say "no" to his opt-in modal, he'll still have to provide me non-degraded service. The fact that he can do so is yet another indicator that the data collection is not a legitimate interest.
The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.
No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.
Look, you can definitely discover and monitor for problems by simply hashing IPs and storing the hash instead. Once you've detected a potential problem (say, a lot of requests from the same hash), only then do you have a "legitimate business need" to record the actual IP addresses and do some short-term analysis of the situation.
The spirit of the law is simple: if you don't absolutely need to store personal data, DON'T. Just don't. Store something else. Or just drop the data into /dev/null. Saying that you'll soon delete the personal data you don't need isn't sufficient.
And really, if this is the way GDPR compliance is going to go, "muh security" is quickly going to gain the reputation as the bullshit reason shady people trot out who want to disobey the law. People who actually care about security should push back on that strongly.
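The hash-then-escalate scheme described in the comment above, written out as an added example in Python (this is not code from the thread or from anyone posting in it). It uses a keyed hash (HMAC-SHA256 with a secret key) rather than a bare hash, because an unkeyed hash of an IPv4 address can be reversed by simply trying all 2^32 addresses; rotating the key also keeps pseudonyms from being linkable across rotation periods. The key, the thresholds, the 7-day retention and the sample traffic are all constructed for illustration and are assumptions, not anything the thread specifies.

```python
"""Pseudonymous request logging that escalates to raw-IP capture only once a
pseudonym misbehaves. Added example; all constants below are constructed."""
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed secret; in a real deployment generate it at random and rotate it
# (e.g. daily) so old pseudonyms cannot be linked to new ones.
SECRET_KEY = b"constructed-example-key-rotate-me"
WINDOW_SECONDS = 60            # assumed sliding window for the rate check
REQUESTS_PER_WINDOW = 20       # assumed threshold above which a pseudonym is flagged
RAW_IP_RETENTION_SECONDS = 7 * 24 * 3600  # assumed 7-day purge for raw IPs


def pseudonymize(ip: str, key: bytes = SECRET_KEY) -> str:
    """Keyed hash of the IP, truncated to 16 hex chars.

    hmac.new(key, ...) rather than hashlib.sha256(ip) because without a secret
    key an attacker holding the log can rebuild the table for every IPv4 address.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


class RequestLogger:
    """Keeps a long-lived pseudonymous log and a short-lived raw-IP log."""

    def __init__(self) -> None:
        self.pseudonymous_log = []         # (ts, pseudonym, path); no raw IP ever
        self.recent = defaultdict(deque)   # pseudonym -> request timestamps in window
        self.flagged = {}                  # pseudonym -> timestamp when it was flagged
        self.raw_ip_log = []               # (ts, ip, path); only for flagged pseudonyms

    def record(self, ts: int, ip: str, path: str) -> str:
        """Log one request. Returns the pseudonym used for it."""
        p = pseudonymize(ip)
        self.pseudonymous_log.append((ts, p, path))

        # Sliding-window count per pseudonym: drop timestamps older than the window.
        q = self.recent[p]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()

        # Escalation: only after the threshold is crossed does the raw IP get written.
        if len(q) > REQUESTS_PER_WINDOW and p not in self.flagged:
            self.flagged[p] = ts
        if p in self.flagged:
            self.raw_ip_log.append((ts, ip, path))
        return p

    def purge(self, now: int) -> None:
        """Drop raw-IP records and flags older than the retention period."""
        self.raw_ip_log = [r for r in self.raw_ip_log
                           if now - r[0] <= RAW_IP_RETENTION_SECONDS]
        self.flagged = {p: t for p, t in self.flagged.items()
                        if now - t <= RAW_IP_RETENTION_SECONDS}


def run_sample() -> RequestLogger:
    """Constructed traffic: five ordinary clients (3 requests each, one per
    second) followed by one client sending 30 requests in 30 seconds."""
    log = RequestLogger()
    t = 0
    for i in range(5):
        for _ in range(3):
            log.record(t, f"203.0.113.{i + 1}", "/")
            t += 1
    for _ in range(30):
        log.record(t, "198.51.100.7", "/login")
        t += 1
    return log


if __name__ == "__main__":
    sample = run_sample()
    print("pseudonymous entries:", len(sample.pseudonymous_log))
    print("raw-IP entries:", len(sample.raw_ip_log))
    print("raw IPs retained:", {ip for _, ip, _ in sample.raw_ip_log})
```

Only the hammering client ever has its real address written, and only for the requests after it crossed the threshold; the ordinary clients exist in the logs solely as keyed pseudonyms. Calling `purge()` with a later timestamp is what enforces the retention window that the thread treats as the bare minimum.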
I don't think that it relates to you, but maybe just for others: "better user experience" is not something without which your website could not work. If this means handling PI (for analytics (GA way, not local) for instance), you can't just flush it down the legitimate interest.
Rule of thumb: you can use it for things where you need PI for your service to work. It is normal that you request an address if you operate an online shop, as you can't deliver the goods without it, while analytics is something users don't need and is not required for your service to operate.
I was just writing a complaint letter to my phone/ISP company where they shovelled marketing, questionnaires, threat assessment (not IT security, customer assessment) analytics and a few other fishy things into legitimate interest, without even providing information about which data they use and why exactly. Legitimate interest is a really nasty thing and it is hard to get it right; it is not a free "get out of jail" card.